Whenever a company implements SSIM or a similar product, the security department deploys it on a large number of servers, devices and databases and monitors them for a while. Meanwhile, the IT team launches its upgrade projects and starts replacing or upgrading the monitored devices to the latest versions. Sometimes they involve the security department in the process, and sometimes they don't. Most of these activities are done over weekends, and it is possible that your configuration on a monitored device is lost during the upgrade; you may or may not get an alert that a certain device has stopped sending logs. If you miss that alert, you never learn of the problem until one day you want to check the logs for a specific day and find nothing. When you look around, you discover that the server was upgraded a month ago and log collection has not worked since. The objective of this article is to get you alerted whenever a certain device stops sending logs.
To know when a particular device stops sending events, you can use the System State Monitor. To configure it:
Go to Rules | Monitors | System Monitors | System State Monitor.
Define the threshold (the maximum time a device may stay silent) as per your company's policy.
Define the priority and the Severity ID.
Under Action, update the Description.
Assign it to a user, or configure an email alert for a certain team.
They will then receive an email like this. Once the email is received, the operator can check the status of the device. The same event is also saved as an alert on the SSIM Incidents tab, so if your staff miss the email, they will still see the daily alerts and can handle them accordingly.
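To make the logic of such a monitor concrete, here is an added example (not SSIM code, and not from the original post) that does what the System State Monitor does: it tracks the last event seen from each monitored source, applies a per-source silence threshold and severity, and raises an alert record for every source that has gone quiet or has never reported. The event lines, source names, thresholds and severity values are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real SSIM output): "<timestamp> <source> <message>"
SAMPLE_EVENTS = """\
2024-03-01T08:00:00 fw-edge-01 accept src=10.0.0.5
2024-03-01T08:05:00 db-prod-02 login user=app
2024-03-01T08:10:00 web-01 GET /index.html 200
2024-03-01T09:58:00 fw-edge-01 deny src=10.0.0.9
2024-03-01T09:59:00 web-01 GET /login 302
"""

# Constructed inventory: source -> (allowed silence, severity id), as the
# "threshold" and "Severity ID" fields in the monitor would be set per policy.
MONITORED = {
    "fw-edge-01": (timedelta(minutes=15), 3),
    "db-prod-02": (timedelta(minutes=30), 5),
    "web-01": (timedelta(minutes=15), 2),
    "dc-01": (timedelta(minutes=60), 5),  # present in inventory, absent from the logs
}


def last_seen(events_text):
    """Return {source: timestamp of its most recent event}."""
    seen = {}
    for line in events_text.splitlines():
        ts, source, _message = line.split(" ", 2)
        t = datetime.fromisoformat(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def silent_sources(events_text, monitored, now):
    """Alert records for every monitored source silent longer than its threshold.

    A source that has never been seen at all is treated as silent since forever,
    which is exactly the upgraded-and-forgotten case the article describes.
    """
    seen = last_seen(events_text)
    alerts = []
    for source, (threshold, severity) in monitored.items():
        last = seen.get(source)
        silence = (now - last) if last is not None else None
        if last is None or silence > threshold:
            alerts.append({
                "source": source,
                "severity": severity,
                "last_seen": last.isoformat() if last else None,
                "silent_minutes": int(silence.total_seconds() // 60) if silence else None,
                "description": f"{source} has not sent logs within {threshold}",
            })
    # Highest severity first, then by name, so the operator sees key assets on top
    return sorted(alerts, key=lambda a: (-a["severity"], a["source"]))
```

Running `silent_sources(SAMPLE_EVENTS, MONITORED, datetime(2024, 3, 1, 10, 0))` flags db-prod-02 (silent 115 minutes against a 30-minute threshold) and dc-01 (never seen), while the two sources that reported within the last few minutes stay quiet.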
In Part 2, we will discuss an alternate way of monitoring in case you are understaffed and need a quick way to know whether your key assets are logging or not.